CVE-2012-10046 CRITICAL

CVE-2012-10046: E-Mail Security Virtual Appliance learn-msg.cgi Command Injection

Vendor Esva-Project
Product E-Mail Security Virtual Appliance
Weakness CWE-78
Published August 8, 2025
Last update April 7, 2026
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The E-Mail Security Virtual Appliance (ESVA) (tested on version ESVA_2057) contains an unauthenticated command injection vulnerability in the learn-msg.cgi script. The CGI handler fails to sanitize user-supplied input passed via the id parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and results in full command execution on the underlying system.

Key dates

02Disclosure timeline

August 8, 2025 CVE published
April 7, 2026 Record updated